Google, for the second time this month, has removed malicious apps from Google Play that could have laid the groundwork for an attacker to root infected devices.
A researcher with Kaspersky Lab on Tuesday described how attackers managed to evade the protections put in place by Google Play’s VerifyApps malware scanner in order to sneak malware onto unsuspecting users’ devices.
Earlier this month Google removed a rooting Trojan, Dvmap, from Google Play that was disguised as a puzzle game. If downloaded, the app could have rooted Android devices and injected malicious code into an infected device’s system.
The two apps that Google removed more recently, Magic Browser and Noise Detector, were vehicles for the Ztorg Trojan, Kaspersky claims.
The more successful of the two apps, Magic Browser, mimicked Google’s Chrome browser. It was installed 50,000 times after it was uploaded on May 15, but was never updated, according to Roman Unuchek, a senior malware analyst with Kaspersky Lab and an Android malware specialist who discovered the apps.
The other app, Noise Detector, claimed to measure noise with decibel software. It was uploaded on May 20 and downloaded more than 10,000 times before Google deleted it from the Play marketplace. Unuchek said it appeared the app’s original intent was to execute a rooting version of the Ztorg Trojan – it featured an encrypted Ztorg module – but it just wasn’t able to decrypt it.
Instead it appears the attacker bided his time, choosing to update the app on and off, with clean, then malicious content. That likely afforded attackers the option to make money, via Ztorg’s SMS functionality, before actually rooting the devices.
Unuchek says that if the app hadn’t been removed from Play, publishing the rooting malware likely would have been the attackers’ next step. Adding this functionality could have also been what alerted Google to the Trojan’s presence, the researcher adds.
Once deployed, Ztorg Trojans traditionally collect information about the device, send it along to the attacker’s command and control server, and get to work doing the cybercriminals’ bidding. Attackers can leverage Ztorg’s SMS functionality to carry out a handful of tasks, including sending premium rate SMS messages, deleting incoming SMS messages, and switching off sound, Unuchek points out.
The concept of Android Trojans sending premium SMS messages is almost as old as Android malware itself; the technique has long been a way for cybercriminals to make quick, easy money.
Unuchek says that Magic Browser attempts to send SMS messages from 11 different places in its code. It sends those SMS messages while processing web page loading errors, using a command from the command and control server. On top of that, the app can open advertising URLs.
Guide for Pokémon Go, a malicious Android app that was downloaded more than 500,000 times last summer during the height of the Pokémon Go phenomenon, was built around the Ztorg malware.
The app billed itself as a collection of tips and tricks for the game but in actuality contained a piece of code that rooted users’ devices. Google removed the app after Kaspersky Lab reported it to the company.
The fact that attackers continue to update apps with benign, then malicious, code can make it tricky for users and Google Play to determine an app’s true intent.
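As an added example, not code from the article or from Kaspersky, the clean-then-malicious update pattern described above can be caught on the defender’s side by diffing the capability set of successive versions of the same app. The script below parses two constructed, decoded AndroidManifest.xml fragments and flags an update that newly requests the SMS permissions and registers a high-priority SMS_RECEIVED receiver, the combination behind the premium-SMS sending and incoming-SMS deletion the article attributes to Ztorg; the package name and both manifests are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_PERMS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"


def _attr(elem, name):
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def manifest_capabilities(manifest_xml: str) -> dict:
    """Extract the SMS-related capabilities declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    # A receiver for SMS_RECEIVED with a very high priority gets to handle an
    # incoming SMS before the default messaging app, which is how older Android
    # malware hid premium-SMS replies by aborting the broadcast.
    high_priority_sms_receiver = False
    for flt in root.iter("intent-filter"):
        actions = {_attr(a, "name") for a in flt.iter("action")}
        priority = int(_attr(flt, "priority") or "0")
        if SMS_RECEIVED in actions and priority >= 999:
            high_priority_sms_receiver = True
    return {"sms_perms": perms & SMS_PERMS,
            "high_priority_sms_receiver": high_priority_sms_receiver}


def flag_update(old_xml: str, new_xml: str) -> list:
    """Report SMS capabilities that an update adds over the previous version."""
    old, new = manifest_capabilities(old_xml), manifest_capabilities(new_xml)
    findings = [f"update adds permission {p}"
                for p in sorted(new["sms_perms"] - old["sms_perms"])]
    if new["high_priority_sms_receiver"] and not old["high_priority_sms_receiver"]:
        findings.append("update adds high-priority SMS_RECEIVED receiver")
    return findings


# Constructed manifests: a benign first release and a later "update".
CLEAN_V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.browser">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

UPDATED_V2 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.browser">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application><receiver android:name=".SmsReceiver">
    <intent-filter android:priority="2147483647">
      <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
    </intent-filter></receiver></application>
</manifest>"""
```

Calling `flag_update(CLEAN_V1, UPDATED_V2)` returns one finding per newly added SMS permission plus one for the receiver, while the same manifest diffed against itself returns nothing.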
“The Ztorg Trojan continues to appear on the Google Play Store, accompanied by new tricks to bypass security and infect as many different Android devices and OS versions as possible. Even if a victim downloads what is clearly a clean app, there is no guarantee that it will still be clean in a few days’ time. Users, Google and security researchers need to remain vigilant at all times and to be proactive about protection,” Unuchek said.